OpenSSH uses SHA1 as a default digest for SSHFP records for RSA/DSA algorithms. RFC 6594 permits using much more secure SHA256 algorithm with SSHFP records. SHA256 is already default digest for Ed25519 and ECDSA SSHFP records. The straightforward PR: https://github.com/openssh/openssh-portable/pull/259
I commented on the pull request too, but I don't think your change actually does anything. While iterating the rrset, the existing code uses the digest type from the DNS record: if (hostkey_digest_type != dnskey_digest_type) { hostkey_digest_type = dnskey_digest_type; free(hostkey_digest); /* Initialize host key parameters */ if (!dns_read_key(&hostkey_algorithm, &hostkey_digest_type, &hostkey_digest, &hostkey_digest_len, hostkey)) { If we add a couple of debug calls to the current code you can see it verifies both fingerprint types (this machine has SHA1 and SHA256 RSA fingerprints): $ ./ssh -vvv -o verifyhostkeydns=ask -o hostkeyalgorithms=rsa-sha2-256 fw 2>&1 | grep -i dns debug3: verify_host_key_dns debug1: found 4 insecure fingerprints in DNS debug3: verify_host_key_dns: checking SSHFP type 4 fptype 1 debug3: verify_host_key_dns: checking SSHFP type 1 fptype 1 debug1: verify_host_key_dns: matched SSHFP type 1 fptype 1 debug3: verify_host_key_dns: checking SSHFP type 3 fptype 2 debug3: verify_host_key_dns: checking SSHFP type 1 fptype 2 debug1: verify_host_key_dns: matched SSHFP type 1 fptype 2 It'll return success if either validate, though, which is probably not ideal. It should probably ensure that all fingerprints match.
Created attachment 3539 [details] Simplify verify_host_key_dns() and verify all fingerprints I think this is what it should do: verify all fingerprint types present in DNS. If any fail to verify the overall check fails.
Yes, it's a proper solution for the verification. I'm more disturbed about creating the new records - I got a (possible wrong) impression that the default value is used on creation.
> I got a (possible wrong) impression that the default value is used on creation. Creation of the SSHFP records? It iterates over the available digest types in export_dns_rr(): for (dtype = SSHFP_HASH_SHA1; dtype < SSHFP_HASH_MAX; dtype++) { rdata_digest_type = dtype; if (dns_read_key(&rdata_pubkey_algorithm, &rdata_digest_type, &rdata_digest, &rdata_digest_len, key)) { $ ./ssh-keygen -r fw fw IN SSHFP 1 1 [...] fw IN SSHFP 1 2 [...] fw IN SSHFP 2 1 [...] fw IN SSHFP 2 2 [...] fw IN SSHFP 3 1 [...] fw IN SSHFP 3 2 [...] fw IN SSHFP 4 1 [...] fw IN SSHFP 4 2 [...]
The patch has been committed and
... will be in the next major release. Thanks for the report.
closing bugs resolved before openssh-8.9